Transcript Review For Exam 1 notes

Review For Exam 1
(February 12, 2014)
© Abdou Illia – Spring 2014
Introduction to
Systems Security
The PTP framework
 Any security system must have 3 key
elements
 People (users and IT staff, customers, etc)
 Technology (firewall, IDS, antivirus, etc.)
 Policies (Safe-Use policy, password policy,
privacy policy, etc.)
 People are usually the weakest link
3
Preventing Security Threats

Use anti-virus software

Use software firewall

Use hardware/appliance firewall

Use Intrusion Defense Systems

Use Intrusion Prevention Systems

Install OS updates

Install applications’ updates

Not open file attachments from unknown sources

Not click URL in emails from unknown sources

Social engineering tests/Mock phishing schemes

Awareness training

Acceptable computer use policy

Password policy

Etc.
4
Countermeasures
 Tools used to thwart attacks
 Also called safeguards, protections, and controls
 Types of countermeasures

Preventative

Detective

Corrective
5
The Plan-Protect-Respond cycle
Figure 2-6
Dominates security management thinking
6
6
Access Control and Site
Security (Part 1)
Dialog attack: Eavesdropping
 Intercepting confidential message being transmitted
over the network
Dialog
Hello
Client PC
Bob
Server
Alice
Hello
Attacker (Eve) intercepts
and reads messages
8
Dialog attack: Message Alteration
 Intercepting confidential messages and modifying
their content
Dialog
Balance =
$1
Client PC
Bob
Balance =
$1,000,000
Balance =
$1
Server
Alice
Balance =
$1,000,000
Attacker (Eve) intercepts
and alters messages
9
Denial-of-Service (DoS) attack
Message Flood
Server
Overloaded By
Message Flood
Attacker
10
Break-in and Dialog attacks:
Security Goal

If eavesdropping, message alteration attacks
succeeded, in which of the following ways the
victims could be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secret could be stolen
d) Competitors might get the victim company’s licensed info
e) Users might not be able to get network services for a
certain period of time
f)
The network might slow down
Confidentiality = Main goal in implementing defense
systems against eavesdropping and message alteration.
11
Defense tool: encryption, hashing, etc.
Malware attacks: Security Goal

If virus attacks succeeded, in which of the
following ways the victims could be affected?
a)
Data files stored on hard drives might be deleted
b)
Data files stored on hard drives might be altered
c)
Corporate trade secret could be stolen
d)
Competitors might get the victim company’s licensed info
e)
Users might not be able to get network services for a
certain period of time
f)
The network might slow down
Integrity = Main goal of implementing defense systems
against malware attacks.
Defense tool: antivirus, IDS, IPS
12
DoS attack: Security Goal

If a DoS attack succeeded, in which of the following
ways the victims could be affected?
a)
Data files stored on hard drives might be deleted
b)
Data files stored on hard drives might be altered
c)
Corporate trade secret could be stolen
d)
Competitors might get the victim company’s licensed info
e)
Users might not be able to get network services for a
certain period of time
f)
The network might slow down
Availability = Main goal of implementing defense
systems against DoS attacks.
Defense tools: firewalls, IDS, IPS
13
Security Goals
 Three main security goals:
Confidentiality of communications and
proprietary information
Integrity of corporate data
Availability of network services and
resources
CIA

Authenticity: ensuring that the data, transactions, communications or documents are genuine. Also
validating that both parties involved are who they claim to be.

Non-repudiation: Ensuring that one party of a transaction cannot deny having received a transaction nor
14
can the other party deny having sent a transaction.
Question
 Which of the following action may be taken
in order to strengthen the confidentiality of
companies’ proprietary information?
a) Prevent employees from accessing files not needed
in their job
b) Limit the number of computers each employee could
use for logging in to the network
c) Encrypt any communications involving passwords
d) All of the above
15
What is Access Control?
 Access control is the policy-driven limitation
of access to systems, data, and dialogs
 Access control prevents attackers from
gaining access to systems’ resources, and
helps stop them if they do
16
What is Access Control?
 AAA process

Authentication: supplicant sends credentials
to verifier to authenticate the supplicant

Authorization: what permissions the
authenticated user will have


What resources he or she can get to at all

What he or she can do with these resources
Auditing: recording what people do in log files

Detecting attacks
17
Reusable Passwords
 Used to repeatedly to get access to a
resource on multiple occasions
 Bad because attacker could have time to
crack it
 Difficult to crack by remote guessing

Usually cut off after a few attempts

However, if intruder steals the password file,
he/she can crack passwords at leisure
18
Password Cracking
 With physical access or with password file in hand,
attacker can use password cracking programs
Program
Windows
L0phtcrack (now LC5)
√
Ophcrack
√
John The Ripper
√
√
RainbowCrack (uses lookup tables and hash functions)
√
√
√
Crack
Cain & Abel
Linux
√
 Programs usually come with "dictionaries" with
thousands or even millions of entries of several kinds
 Programs use brute-force cracking method
 Used by network admins to locate users with weak
password, and by attackers.
19
20
Brute-force password cracking
 Dictionary cracking vs. hybrid cracking
 Try all possible character combinations
 Longer passwords take longer to crack
 Combining types of characters makes cracking
harder
 Alphabetic,
no case (26 possibilities)
 Alphabetic,
case (52)
 Alphanumeric
 All
(letters and numbers) (62)
keyboard characters (~80)
21
Figure 2-3: Password Length
Password
Length In
Characters
Alphabetic,
No Case
(N=26)
Alphabetic,
Case
(N=52)
Alphanumeric:
Letters &
Digits (N=62)
All Keyboard
Characters
(N=~80)
1
26
52
62
80
2 (N2)
676
2,704
3,844
6,400
4 (N4)
456,976
7,311,616
14,776,336
40,960,000
6
308,915,776
19,770,609,664
56,800,235,584
2.62144E+11
8
2.08827E+11
5.34597E+13
2.1834E+14
1.67772E+15
10
1.41167E+14
1.44555E+17
8.39299E+17
1.07374E+19
Q: Your password policy is: (a) the password must be 6 character long, (b) the password should
include only decimal digits and lower case alphabetic characters. What is the maximum number of
passwords the attacker would try in order to crack a password in your system?
22
Cracking techniques
 Dictionary attack
Fastest way to crack password. A “dictionary” file (a text file full of dictionary
words) is loaded into a cracking application, which is run against user
accounts located by the application.
 Hybrid attack
Will add numbers or symbols to the search words to successfully crack a
password. Many people change their passwords by simply adding a number
to the end of their current password.
 Brute force attack
More suitable for complex passwords. May take a long time to work
depending on the complexity of the password. Program will begin trying any
and every combination of numbers and letters and running them against the
hashed passwords on the computer. Passwords composed of random
letters numbers and characters are most vulnerable to this type of attack.23
Password Policy
 Shared passwords

Not a good policy

Remove ability to learn who took actions; loses
accountability

Usually is not changed often or at all because of
need to inform all sharers
24
Questions
Q.1. ABC Inc. has a network with three users. The users have the following
usernames: aillia, jwillems, vhampton. A shared-password policy implemented by the
network administrator allowed the users to logon with the password abc123. Last night
someone committed an attack stealing sensitive corporate information after elevating
the privileges associated with the account they used to logon. Which of the following is
true? (Choose all that apply)
a)
b)
c)
d)
the audit log file can be checked to determine at what time the attacker logged in
the audit log file can be checked to determine which user account was used in
committing the attack
the audit log file can be checked to determine who committed the attack
all of the above.
Q.2. If your answer to Q.1 above indicates that at least one of the statements is not
true, explain why.
__Any of the three username can be used to log in with the shared password.
Therefore, it is impossible to tell which o the three was used.____
25
Summary Questions
 What are the main security goals?
 What security goal is jeopardized by a successful
eavesdropping attack?
 What is the difference between dictionary cracking
and hybrid cracking?
 What is a shared password? Do you recommend
shared passwords? Why?
26
Alternatives
to password
 Access Cards


Magnetic stripe cards
Smart cards

Have a microprocessor and RAM

Can implement public key encryption for
challenge/response authentication
 Token


Constantly changing password devices for
one-time passwords
USB plug-in tokens
27
Alternatives to password (cont.)
 Proximity Access Tokens

Use Radio Frequency ID (RFID) technology

Supplicant only has to be near a door or
computer to be recognized
 Two-Factor Authentication
◦
◦
Access card: 1st factor
PINs for the second factor



Short: 4 to 6 digits
Can be short because attempts are manual
Should not choose obvious combinations (1111,
1234) or important dates
28
Alternatives to password (cont.)
 Biometric Authentication


Authentication based on biological (bio)
measurements (metrics).

Biometric authentication is based on something
you are (your fingerprint, iris pattern, face, hand
geometry, and so forth)

Or something you do (write, type, and so forth)
The major promise of biometrics is to make
reusable passwords obsolete
29
Alternatives to password (cont.)
30
Resources Access Control
Part 2
Wireless telecomm control
 IEEE* is a professional association that

Is dedicated to advancing technological
innovations

Develops standards for wired LAN devices

Develops standards for Wireless LAN (WLAN)
devices
 Wi-Fi Alliance is a trade association that

at promotes Wireless LAN technology

Certifies products if they conform to certain
standards
* Institute of Electrical and Electronics Engineers
32
IEEE 802.11 WLAN standards
Unlicensed Band
Rated Speed
# of channels
802.11b
802.11a
2.4 GHz
5 GHz
802.11g
2.4 GHz 2.4 GHz or 5 GHz
≤11 Mbps ≤ 54 Mbps ≤ 54 Mbps
3
802.11n 802.11ac*
12
≤ 150 Mbps
13
2.4/5 GHz?
≤866 Mbps
13
802.11n








Service band 2.4 - 2.4835 GHz divided into 13 channels
Each channel is 40 MHz wide
Channels spaced 5 MHz apart
Channel 1 centered on 2412 MHz. Channel 13 centered on 2472 MHz
Transmissions spread across multiple channels
802.11b and 802.11g devices use only Channel 1, 6, 11 to avoid transmission overlap.
AM radio channels have a 10KHz bandwidth
FM radio channels: 200KHz bandwidth
* Under development
33
802.11 Wireless LAN operation
 802.11 refers to the IEEE Wireless LAN standards
Ethernet
Switch
(2)
802.3 Frame
Containing Packet
(3)
Access
Point
802.11 Frame
Containing Packet
(1)
Server
Notebook
with wireless NIC
Client PC
34
802.11 Wireless
LAN operation
Ethernet
Switch
1. If the AP is 802.11n-compliant, it could communicate
with the notebook even if the notebook has a 802.11a NIC.
T
F
2. Given what you know about WLAN operation, where (i.e. on which device)
security should be implemented to prevent unauthorized devices from
accessing network services?
(2)
802.3 Frame
Containing Packet
(1)
802.11 Frame
Containing Packet
Access
Point
(3)
Server
Client PC
Notebook
With PC Card
Wireless NIC
35
Summary Question (1)
 Which of the following is among Wireless
Access Points’ functions?
a) Convert electric signal into radio wave
b) Convert radio wave into electric signal
c) Forward messages from wireless stations to
devices in a wired LAN
d) Forward messages from one wireless station to
another
e) All of the above
f) Only c and d
36
MAC Filtering
 The Access Point could be configured to only allow
mobile devices with specific MAC addresses
 Today, attack programs exist that could sniff MAC
addresses, and then spoof them to gain access
MAC Access Control List
O9-2X-98-Y6-12-TR
10-U1-7Y-2J-6R-11
U1-E2-13-6D-G1-90
01-23-11-23-H1-80
……………………..
Access
Point
37
IP Address Filtering
 The Access Point could be configured to only allow
mobile devices with specific IP addresses
 Attacker could


Get IP address by guessing based on companies
range of IP addresses
Sniff IP addresses, then spoof them to gain access
IP Address Access Control List
139.67.180.1/24-139.67.180.30/24
139.67.180.75
139.67.180.80
139.67.180.110
……………………..
Access
Point
38
Access control at EIU
What is used at EIU today to
control access to the WLAN?
39
SSID: Apparent 802.11 Security
 Service Set Identifier (SSID)








It’s a “Network name” of up to 32 characters
Access Points come with default SSID. Example:
“tsunami” for Cisco or “linksys” for Linksys
All Access Points in a WLAN have same SSID
Mobile devices must know the SSID to “talk” to the
access points
SSID frequently broadcasted by the access point for
ease of discovery.
SSID in frame headers are transmitted in clear text
SSID broadcasting could be disabled but it’s a weak
security measure
Sniffer programs (e.g. Kismet, inSSIDer) can find SSIDs
easily
40
Wired Equivalent Privacy (WEP)
 Standard originally intended to make wireless networks
as secure as wired networks
 With WEP, mobile devices need to provide a shared
key to be authenticated and gain access

Typical WEP key length: 40-bit, 128-bit, 256-bit
 If a hacker intercepts, decrypts, and compares two
messages encrypted with the same key, he/she will
know the key
 Question: Besides through hacking, how can a WEP key be
leaked? What can be done to limit access by unauthorized
users?
1.
2.
3.
4.
5.
WEP authentication process
Open Source WEP Cracking software
Wireless station sends authentication request to AP
AP sends back a 128 bits challenge text in plaintext
aircrack-ng
Wireless station uses the RC4 encryption scheme to encrypt the challenge text and
its WEP key and sends result to AP
weplab
AP regenerate the WEP key from received result, then compare WEP key to its
WEPCrack
41
own WEP key
AP sends a success or failure message
airsnort
Wired Equivalent Privacy (WEP)
 Using a Initialization Vectors (IV)

To make the shared key hard to crack, WEP
uses a per-frame key that is the shared key plus
a 24-bit initialization vector (IV) that is different
for each frame/packet.

However, many frames “leak” a few bits of the
key

With high traffic, an attacker using readily
available software can crack a shared key in 2
or 3 minutes
42
Wi-Fi Protected Access (WPA)
 WPA extends the security of WEP/RC4 primarily by:


increasing the IV from 24 bits to 48 bits
Implementing a system for automatic rekeying
called TKIP (Temporal Key Integrity Protocol)
Cryptographic
Characteristic
Cipher for
Confidentiality
Automatic Rekeying
Overall Cryptographic
Strength
WEP
WPA
802.11i (WPA2)
RC4 with a
flawed
implementation
None
RC4 with 48-bit
initialization vector (IV)
AES with 128bit keys
Temporal Key Integrity
Protocol (TKIP), which
has been partially
cracked
Weaker but no
complete crack to date
AES-CCMP
Mode
Negligible
Extremely
strong
43
802.11i (or WPA2)
 In 2004, the IEEE 802.11 working group developed a
security standard called 802.11i to be implement in
802.11 networks.
 802.11i tightens security through the use of the AES
encryption scheme with a 128-bit key
 802.11i can be added to existing AP and NICs
 The128-bit key changes
44
Other protocols used in 802.11i
 Authentication and data integrity in 802.11i and
802.11x rely on the Extensible Authentication
Protocol (EAP) which has different options:

Wireless Transport Layer Security (WTLS) protocol
 Server and mobile devices must have digital certificates
 Requires that Public Key Infrastructure (PKI) be installed to
manage digital certificates

Tunneled WTLS
 Digital certificates are installed on the server only
 Once server is securely authenticated to the client via its
Certificate Authority, a secured tunnel is created.
 Server authenticates the client through the tunnel.
 Client could use passwords as mean of authentication
45
Using Authentication server
2.
Pass on Request to
RADIUS Server
1.
Authentication
Request
Applicant
(Lee)
5. OK
Use
Key XYZ
Access
Point
4. Accept
Applicant Key=XYZ
Directory
Server or
Kerberos
Server


RADIUS Server /
WAP Gateway
3.
Get User Lee’s Data
(Optional; RADIUS
Server May Store
Authentication Data)
RADIUS is an AAA (Authentication, Authorization, Accounting) protocol
Once user authenticated, AP assigns user individual key, avoiding shared key.
46
TCP/IP
Internetworking
Layered Communications:
Encapsulation – De-encapsulation
 Application programs on different computers cannot
communicate directly

There is no direct connection between them!

They need to use an indirect communication system
called layered communications or layer cooperation
Browser
HTTP Request
Web App
Transport
Transport
Internet
Internet
Data Link
Data Link
Physical
User PC
Physical
Webserver
48
Layer Cooperation on the User PC
 Encapsulation on the sending machine

Embedding message received from upper layer in
HTTP
a new message
request
Encapsulation of HTTP
request in data field of
a TCP segment
Application
HTTP req.
Transport
HTTP req.
TCP-H
Internet
HTTP req.
TCP-H IP-H
HTTP req.
TCP-H IP-H PPP-H
Data Link
User PC
PPP-T
Physical
TCP
segment
IP Packet
Frame
49
Layer Cooperation on the Web server
 De-encapsulation

Frame
Other layers pass successive data fields (containing next-lower
layer messages) up to the next-higher layer
HTTP
request
HTTP req.
TCP
segment
HTTP req.
TCP-H
IP Packet
HTTP req.
TCP-H IP-H
PPP-T
HTTP req.
TCP-H IP-H PPP-H
Application
Transmission media
Transport
Internet
Data Link
Webserver
50
Questions
1. What is encapsulation? On what machine does it
occur: sending or receiving machine?
2. If a layer creates a message, does that layer or the
layer below it encapsulate the message?
3. What layer creates frames? Segments? Packets?
51
IP Packet
Bit 0
0100
IP Version 4 Packet
Header
Version
Length
(4 bits)
(4 bits)
QoS
(8 bits)
Bit 31
Total Length
(16 bits)
Identification (16 bits)
Flags
Time To Live
Protocol (8 bits)
1=ICMP, 6=TCP,17=UDP
(8 bits)
Fragment Offset (13 bits)
Header Checksum (16 bits)
Source IP Address (32 bits)
Destination IP Address (32 bits)
Options (if any)
Padding
Data Field
 QoS: Also called Type of Service, indicates the priority level the packet should have
 Identification tag: to help reconstruct the packet from several fragments
 Flags: indicates whether packet could be fragmented or not (DF: Don't fragment), indicates whether
more fragments of a packet follow (MF: More Fragments or NF: No More Fragments)
 Fragment offset: identify which fragment this packet is attached to
 TTL: Indicates maximum number of hops (or routers) the packet could pass before a hop discards it.
 Header checksum: to check for errors in the headers only
52
Questions
 What is the main version of the Internet
Protocol in use today? What is the other
version?
 What does a router do with an IP packet if it
decrements its TTL value to zero?
 Assume that a router received an IP packet
with the Protocol in header set to 6. What
Transport layer protocol is used in the
message: TCP, UDP, or ICMP?
53
Subnet
1
IP Fragmentation
Subnet
2
 When a packet arrives at a router, the router selects the port and
subnet to forward the packet to
 If packet too large for the subnet to handle, router fragments the
packet; ie.


Divides packet’s data field into fragments
Gives each fragment same Identification tag value, i.e. the
Identification tag of original packet
 First fragment is given Fragment Offset value of 0
 Subsequent fragments get Fragment Offset values consistent with their
data’s place in original packet
 Last fragment’s Flag is set to “No More Fragments”

Destination host reassemble fragments based on the offsets.
Identification (16 bits)
Flags
Fragment Offset (13 bits)
54
Firewalls and Fragmented IP Packet
 Fragmentation makes it hard for firewalls to filter individual packets

TCP or UDP header appears only in the first fragment
 Firewall might drop the first fragment, but not subsequent fragments
 Some firewalls drop all fragmented packets
Router
2. Second
Fragment
4. TCP Data
IP
Field
Header
Attacker
1.34.150.37
No
TCP Header
1. First
Fragment
TCP Data
Field
IP
Header
3. TCP Header
Only in First
Fragment
5. Firewall
60.168.47.47
Can Only
Filter TCP
Header in
First Fragment
55
TCP Segment
Bit 0
Bit 31
Source Port Number (16 bits)
Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
Header
Length
(4 bits)
Reserved
(6 bits)
Flag Fields:
ACK, SYN,…
(6 bits)
TCP Checksum (16 bits)
Window Size
(16 bits)
Urgent Pointer (16 bits)
Data
 Port number: identifies sending and receiving application programs.
 Sequence number: Identifies segment’s place in the sequence. Allows receiving
Transport layer to put arriving TCP segments in order.
 Acknowledgement number: identifies which segment is being acknowledged
 Flag fields: Six one-bit flags: ACK, SYN, FIN, RST, URG, PSH. Can be set to 0
(off) or 1 (on). e.g. SYN=1 means a request for connection/synchronization.
56
TCP and use of Flags
Flag Fields
(6 bits)
URG ACK
SYN FIN RST
PSH
 TCP is a connection-oriented protocol

Sender and receiver need to establish connection

Sender and receiver need to agree to “talk”

Flags are used for establishing connection

Sender requests connection opening: SYN flag set to 1

If receiver is ready to “talk”, it responds by a SYN/ACK segment

Sender acknowledges the acknowledgment
If PC
sender does not get ACK, it resends the segment
Webserver
Transport Process
Transport Process
1. SYN (Open)

2. SYN, ACK (1) (Acknowledgment of 1)
3. ACK (2)
3-way
Handshake
Note: With connectionless protocols like UDP, there is no flags. Messages are 57
just sent. If part of sent messages not received, there is no retransmission.
Communication during a normal
TCP Session
Q1: How many segments are sent
in a normal TCP communication
opening? ____
Q2: How many segments are sent
in a normal TCP communication
closing? ____
Note: At any time, either
process can send a TCP RST
(reset) segment with RST bit
set to 1 to drop the connection
(i.e. to abruptly end the
connection).
58
SYN/ACK Probing Attack
1. Probe
60.168.47.47
2. No SYN (Open):
Makes No Sense!
SYN/ACK Segment
IP Hdr RST Segment
Attacker
1.34.150.37
5.
60.168.47.47
is Live!
4. Source IP
Addr=
60.168.47.47
Victim
60.168.47.47
3. Go Away!
 Sending SYN/ACK segments helps attackers locate “live” targets
 Older Windows OS could crash when they receive a SYN/ACK probe
59
Source Port Number (16 bits)
Destination Port Number (16 bits)
TCP and use of Port numbers
 Port Number identify applications

Well-known ports (0-1023): used by major server
applications running at root authority.


HTTP web service=80, Telnet=23, FTP=21, SMTP email =25
Registered ports (1024-49151): Used by client and server
applications.

Ephemeral/dynamic/private ports (49152-65535) Not
permanently assigned by ICANN.
Web server applications
www:80 FTP:21 SMTP:25
Operating System
Socket notation:
IP address:Port #
Computer hardware
RAM chip
HD
Processor
60
Questions
 A host sends a TCP segment with source port
number 25 and destination port number
49562.
1)
Is the source host a server or a client? Why?
2)
If the host is a server, what kind of service
does it provide?
3)
Is the destination host a server or a client ?
Why?
61
TCP and Port spoofing
 Attackers set their application to use well-known port despite not being
the service associated with the port
 Most companies set their firewall to accept packet to and from port 80
 Attackers set their client program to use well-know port 80
62
Questions
1. What is IP Fragmentation? Does IP fragmentation
make it easier for firewall to filter incoming packets?
Why?
2. What is SYN/ACK probing attack?
3. What kind of port numbers do major server
applications, such as email service, use?
4. What kind of port numbers do client applications
usually use?
5. What is socket notation?
6. What is port spoofing?
7. How many well-known TCP ports are vulnerable to
being scanned, exploited, or attacked?
63
IP Routing
Router
RoutingA
Router A
Interface
1
Router B
IP Routing
Packet to 60.3.47.129 Interface
2
Network
60.x.x.x
Routing Table for Router A
Matches
IP Address
Next-Hop
Route
Range Metric Router
Router C
Network
1
60.3.x.x
9
B
60.3.x.x
2 128.171.x.x 2
B
3
60.3.47.x
8
C
Host
Host
4
10.5.3.x
6
B
60.3.45.129
60.3.47.129
5 128.171.17.x 2
Local
6 of10.4.3.x
2
C
Because
multiple alternative
routes in router meshes,
routers may have several rows that match an IP address.
Routers must find All matches and then select the BEST ONE.
This is slow and therefore expensive compared to switching.
64
Vertical Communication on Routers
Router 1
A
Packet
Decapsulation
Frame
Internet Layer Process
Port 1
DL
Port 2
DL
Port 3
DL
Port 4
DL
PHY
PHY
PHY
PHY
Notes:
A. Router R1 receives frame in Port 1.
Port 1 Data Link decapsulates the IP packet.
Port 1 Data Link passes packet to internet Layer.
65
Vertical Communication on Routers
Router 1
B
Internet Layer Process
Port 1
DL
Port 2
DL
Port 3
DL
Port 4
DL
PHY
PHY
PHY
PHY
Packet
Encapsulation
Frame
Router 2
B. Internet layer sends packet out on Port 4.
Data Link process on Port 4 encapsulates packet in a DL frame.
Data Link process passes frame to Port 4 PHY.
66
Summary Questions
 How many layers are there in a router? A: 3
 Can a router be a software program? A: Yes
 Suppose that Computer 1 sends a message to
Computer 2. Assume that there are two routers (R1
and R2) along the route that leads to Computer 2.
Assume that a frame from the message is received
by R2 in Port 2. Which of the following will happen
next?
a)
b)
c)
d)
The Data Link layer process in Port 1 will de-encapsulate
the IP packet from the frame
The Physical layer will pass the frame to the Data Link
layer process in Port 2
The Data Link layer process in Port 2 will deencapsulate the IP packet from the frame
None of the above
67
IP Address
 IP is a connectionless protocol
 IP address is like postal addresses

Postal addresses are hierarchical: state, city, postal zone, street,
house address
 IP Addresses have the following hierarchy

Network number (tells what network the host is on)

Subnet number (tells what segment of network the host is on)

Computer number (identifies a particular computer on the segment)
 Routers look at network part (and segment part for some) to make
routing decisions
 Final router looks at Host part
68
Hierarchical IP Address
Network Part (not always 16 bits)
Subnet Part (not always 8 bits)
Host Part (not always 8 bits)
Total always is 32 bits.
139.67.130.13
The Internet
EIU Network
(139.67)
13
School of Business
Subnet
(130)
Host 13
139.67.130.13
69
IP Address notations
 IP addresses

Are really strings of 32 bits (1s and 0s)


Example: 10000000101010100001000100001101
Usually represented by four number segments
separated by dots: dotted decimal notation

Example: 128.171.17.13
127.18.47.145
127.47.17.47
70
IP Address Spoofing
 IP address spoofing is sending a message with a false IP address
with the intent to mislead the receiving device and gain access
1. Trust Relationship
Trusted Server
60.168.4.6
Victim Server
60.168.47.47
From: 60.168.4.6
To: 60.168.47.47
2.
Spoofed Source IP Address
60.168.4.6 is used.
Attacker’s Client PC
1.34.150.37
 Reasons for IP spoofing:


Anonymity
Exploiting trust relationship
71